Yearn Finance Hack - February 2021 ($11M)
Overview
The v1 yDAI vault suffered an exploit which was mitigated on February 4, 2021. The attacker used an Aave flash loan to trigger the draining of the vault. While the protocol lost $11 million from its compromised vault, the attacker managed to get away with only $2.8 million.
Attack Mechanism
The vault attacked was Yearn's v1 DAI vault, which had been updated to a new investment strategy. At the time of the attack, that strategy was to deposit all funds into the "3pool" on the automated market maker (AMM) Curve. The attacker deposited a large amount into the Curve 3pool to manipulate the DAI price given by the pool, and the vault was relying on the DAI price given by this pool. The contract then withdrew, and the sequence was repeated many times using flash-borrowed funds.
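The dependency described above, as an added illustration that is not Yearn's or Curve's code: a vault that accepts whatever the pool quotes, beside the same deposit bounded by a price taken from outside the pool. The constant-product pool is a simplification of Curve's 3pool, and every name (Pool, vault_invest, reference_price, max_deviation) and figure is a constructed assumption; the bound shown is a general mitigation, not a fix the source attributes to Yearn.

```python
from dataclasses import dataclass

class SlippageError(Exception):
    """Raised when the pool's quote is worse than the reference allows."""

@dataclass
class Pool:
    # Toy constant-product pool (x*y=k, no fee): a simplification, not Curve's invariant.
    dai: float
    other: float  # the other stablecoin side of the pool

    def quote_dai_in(self, amount: float) -> float:
        """Amount of `other` paid out for `amount` DAI at the pool's current state."""
        k = self.dai * self.other
        return self.other - k / (self.dai + amount)

    def swap_dai_in(self, amount: float) -> float:
        out = self.quote_dai_in(amount)
        self.dai += amount
        self.other -= out
        return out

def vault_invest(pool, amount, reference_price=None, max_deviation=0.005):
    """Move `amount` DAI from the vault into the pool.

    reference_price=None models a strategy that trusts the pool's own price.
    Otherwise the trade must return at least
    amount * reference_price * (1 - max_deviation), where reference_price
    comes from a source independent of the pool (hypothetical parameter).
    """
    quoted = pool.quote_dai_in(amount)
    if reference_price is not None:
        min_out = amount * reference_price * (1 - max_deviation)
        if quoted < min_out:
            raise SlippageError(f"quote {quoted:,.0f} below minimum {min_out:,.0f}")
    return pool.swap_dai_in(amount)

def skewed_pool():
    # Constructed state: same k as a balanced 1e9/1e9 pool, but DAI-heavy.
    return Pool(dai=1.5e9, other=1e18 / 1.5e9)

if __name__ == "__main__":
    print("balanced, guarded:", round(vault_invest(Pool(1e9, 1e9), 1e6, reference_price=1.0)))
    print("skewed, unguarded:", round(vault_invest(skewed_pool(), 1e6)))
    try:
        vault_invest(skewed_pool(), 1e6, reference_price=1.0)
    except SlippageError as exc:
        print("skewed, guarded: rejected,", exc)
```

In the skewed state the unguarded deposit of 1,000,000 DAI returns roughly 444,000 of the other asset, while the bounded call refuses the trade and leaves the pool untouched.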
Technical Details
The attack was mitigated in approximately 11 minutes, and it consisted of a series of 160 transactions where the attacker deposited and withdrew value in the pools at unfavorable rates. The exploit was performed through a string of flash loans gathered from dYdX and Aave V2, and the hacker used these flash loans to interact with Compound and Curve Finance.
Aftermath
Thanks to the developers' quick action, the protocol was able to protect the rest of the stored funds, worth $24 million in DAI, out of the total $35 million that was stored within the vault. Tether announced the freeze of $1.7 million in USDT involved in the attack.